Microsoft Windows 2000 DNS
University of Tulsa - Center for Information Security, October 8, 2015


1 Microsoft Windows 2000 DNS

2 History of DNS
- Before DNS: Hosts.txt file
- For a good summary of the history of DNS: http://www.whmag.com/content/0601/dns/page3.asp

3 DNS Standard Documents
- The DNS standards are listed on the web; the site below lists the RFC numbers and RFC drafts.
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dnsstartpage_2lgl.asp?frame=true

4 What is DNS?
- Stands for Domain Name System
- Locator service that translates user-friendly names (such as www.utulsa.edu) into addresses that the network can recognize (129.244.1.91)
- Primary locator service for Active Directory; therefore considered a base service for both Windows 2000 and Active Directory

5 Example Using DNS
- Alice asks who is authoritative for all of the host names at site B
- Alice receives an answer such as “nmServerB”
- Alice asks nmServerB “What is Bob’s IP address?”
- nmServerB replies to Alice with Bob’s IP address
- With Bob’s IP address, Alice can begin direct communication with Bob

6 The Domain Namespace
- Tree data structure that contains DNS’s distributed database, indexed by domain names
  – Each node has a text label different from all of its siblings
- Domain name: sequence of labels on the path from that node to the root
  – Data associated with a domain name is stored in a resource record
- Domain: subtree of the domain namespace

7 The Internet Domain Namespace
- Top-level domains: com, edu, gov, mil, net, org, int, arpa, and geographical designations (uk, us, bm, aq)
- Reading domain names:
  – lithium.cchem.berkeley.edu
  – www.utulsa.edu
  – www.cis.utulsa.edu

8 Delegation
- Goal: decentralize administration
- Delegate administrative duties to subdomains
  – Retain pointers to the sources of the subdomains’ data
  – Queries can then be referred to the authority for the subdomain

9 Name Servers and Zones
- Programs that store information about the domain namespace are called name servers
- Name servers have complete information about some part of the domain namespace, called a zone
  – The name server is then said to have authority over that zone

10 Types of Name Servers
- Primary master name server: reads data for the zone from a file on its host
- Secondary master: gets zone data from the name server that is authoritative for the zone
  – Zone transfer: when the secondary master retrieves zone data from the primary master

11 Resolvers
- Clients that access name servers
- A resolver handles:
  – Querying the name server
  – Interpreting responses
  – Returning the information to the programs that requested it
- In Windows 2000, a resolver is a set of library routines

12 Resolution
- Resolution is the process by which a name server searches through the domain namespace to find data for which it is not authoritative
  – Only requires the domain names and addresses of the root name servers
- Root name servers refer requests to the top-level domain server for the domain the queried name ends in
- In turn, each name server queried either provides the answer or refers the request to a “closer” name server

13 Recursion / Iteration
- Recursive query
  – Places most of the burden of resolution on a single name server
  – The queried name server is obliged to respond with the requested data or with an error (it can’t just refer the query to a different name server)
  – A name server that receives a recursive query it can’t answer itself will query the “closest known” name servers
- Iteration
  – The name server gives the best answer it already knows
  – If it can’t answer the query directly, the name server refers the querier to the name servers listed in its local data

14 Choosing Between Authoritative Name Servers
- The Microsoft DNS Server uses round-trip time (RTT) to choose between name servers authoritative for the same zone
  – RTTs are averaged in after each query
  – The average is initially set very low so that each server gets queried before favorites are chosen
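The following Python program is an added example and not part of the presentation. It walks the iterative resolution described on slides 12 and 13 (start at the root, follow referrals until a server answers) over a constructed namespace, and chooses between servers authoritative for the same zone by averaged round-trip time as slide 14 describes for the Microsoft DNS Server. The servers `root`, `a.edu-servers.`, `b.edu-servers.`, `ns1.utulsa.edu.`, `ns2.utulsa.edu.` and their RTTs are all made up; no network traffic is sent.

```python
"""Iterative resolution with RTT-based server selection (constructed data)."""
from typing import Dict, List, Optional, Tuple

# Constructed namespace. Each simulated server either answers from its own
# zone data or refers the resolver to the servers for a delegated subdomain.
SERVERS: Dict[str, dict] = {
    "root": {"delegations": {"edu.": ["a.edu-servers.", "b.edu-servers."]}},
    "a.edu-servers.": {"delegations": {"utulsa.edu.": ["ns1.utulsa.edu.", "ns2.utulsa.edu."]}},
    "b.edu-servers.": {"delegations": {"utulsa.edu.": ["ns1.utulsa.edu.", "ns2.utulsa.edu."]}},
    "ns1.utulsa.edu.": {"answers": {"www.utulsa.edu.": "129.244.1.91"}},
    "ns2.utulsa.edu.": {"answers": {"www.utulsa.edu.": "129.244.1.91"}},
}

# Constructed round-trip times (milliseconds) for each simulated server.
SIMULATED_RTT_MS: Dict[str, float] = {
    "root": 20.0, "a.edu-servers.": 40.0, "b.edu-servers.": 15.0,
    "ns1.utulsa.edu.": 30.0, "ns2.utulsa.edu.": 10.0,
}

INITIAL_RTT_MS = 0.0  # "very low": every untried server is queried once first


def simulated_query(server: str, qname: str) -> Tuple[Optional[str], Optional[List[str]], float]:
    """Return (answer, referral, rtt). Exactly one of answer/referral is set,
    or both are None when the server has neither the data nor a delegation."""
    data = SERVERS[server]
    rtt = SIMULATED_RTT_MS[server]
    answer = data.get("answers", {}).get(qname)
    if answer is not None:
        return answer, None, rtt
    # Referral: the most specific delegation whose zone contains qname.
    for zone in sorted(data.get("delegations", {}), key=len, reverse=True):
        if qname == zone or qname.endswith("." + zone):
            return None, data["delegations"][zone], rtt
    return None, None, rtt


class IterativeResolver:
    def __init__(self) -> None:
        self.rtt_avg: Dict[str, float] = {}

    def choose(self, candidates: List[str]) -> str:
        """Pick the candidate with the lowest averaged RTT. Untried servers
        carry INITIAL_RTT_MS, so they are tried before any measured one."""
        return min(candidates, key=lambda s: self.rtt_avg.get(s, INITIAL_RTT_MS))

    def record(self, server: str, rtt: float) -> None:
        """Average the new measurement into the server's running RTT."""
        prev = self.rtt_avg.get(server)
        self.rtt_avg[server] = rtt if prev is None else (prev + rtt) / 2.0

    def resolve(self, qname: str, max_steps: int = 10) -> Tuple[str, List[str]]:
        """Walk from the root, following referrals, until an answer arrives.
        Returns (address, servers queried in order); raises on no such name."""
        candidates, trace = ["root"], []
        for _ in range(max_steps):
            server = self.choose(candidates)
            answer, referral, rtt = simulated_query(server, qname)
            self.record(server, rtt)
            trace.append(server)
            if answer is not None:
                return answer, trace
            if referral is None:
                raise LookupError(f"{qname}: no such name (NXDOMAIN)")
            candidates = referral
        raise LookupError(f"{qname}: referral chain too long")


if __name__ == "__main__":
    resolver = IterativeResolver()
    for _ in range(3):
        print(resolver.resolve("www.utulsa.edu."))
```

Running the lookup three times shows the selection settle: the first pass tries `a.edu-servers.` and `ns1.utulsa.edu.`, the second tries the still-unmeasured `b.edu-servers.` and `ns2.utulsa.edu.`, and from then on the faster pair is preferred.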

15 Mapping Addresses to Names
- Forward (names to addresses)
  – Straightforward search through a host table on the name server
- Reverse (addresses to names)
  – in-addr.arpa domain
  – Portion of the Internet domain namespace that uses addresses as labels

16 Caching
- Saves information about previous resolution processes
- The Microsoft DNS Server even implements negative caching: if an authoritative name server responds to a query saying the domain name doesn’t exist, this information is cached as well
- Cached data is given a time to live (TTL)
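As an added example (not the presentation's or Microsoft's code), the Python below shows the caching behaviour of slide 16 with a deterministic clock: positive answers and negative (NXDOMAIN) answers are both stored with a TTL, repeat queries are served from the cache, and an expired entry forces a fresh authoritative lookup. The zone record for `www.utulsa.edu.`, its 3600-second TTL and the 300-second negative TTL are constructed values.

```python
"""Resolver cache with positive and negative caching and TTL expiry.
Added example with constructed zone data, not the Microsoft DNS Server's code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

NXDOMAIN = "NXDOMAIN"  # marker value for a cached negative answer


class FakeClock:
    """Deterministic clock so TTL expiry can be shown without sleeping."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


# Constructed authoritative zone: positive answers carry their record TTL;
# a missing name is answered NXDOMAIN with the zone's negative-caching TTL.
ZONE_RECORDS: Dict[str, Tuple[str, int]] = {
    "www.utulsa.edu.": ("129.244.1.91", 3600),
}
NEGATIVE_TTL = 300


def authoritative_lookup(qname: str) -> Tuple[str, int]:
    """Stand-in for a query to the authoritative server (constructed)."""
    return ZONE_RECORDS.get(qname, (NXDOMAIN, NEGATIVE_TTL))


@dataclass
class CacheEntry:
    value: str         # an address, or NXDOMAIN for a negative entry
    expires_at: float  # absolute time in seconds


class DnsCache:
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock
        self.entries: Dict[str, CacheEntry] = {}
        self.lookups_sent = 0  # how often we had to ask the authority

    def get(self, qname: str) -> Optional[str]:
        """Return the cached value, dropping the entry once its TTL has run out."""
        entry = self.entries.get(qname)
        if entry is None:
            return None
        if entry.expires_at <= self.clock():
            del self.entries[qname]  # expired: force a fresh lookup
            return None
        return entry.value

    def resolve(self, qname: str,
                lookup: Callable[[str], Tuple[str, int]] = authoritative_lookup) -> Tuple[str, bool]:
        """Return (value, served_from_cache). Negative answers are cached
        for their TTL exactly like positive ones."""
        cached = self.get(qname)
        if cached is not None:
            return cached, True
        value, ttl = lookup(qname)
        self.lookups_sent += 1
        self.entries[qname] = CacheEntry(value, self.clock() + ttl)
        return value, False


if __name__ == "__main__":
    clock = FakeClock()
    cache = DnsCache(clock)
    print(cache.resolve("nosuch.utulsa.edu."))   # asks the authority
    print(cache.resolve("nosuch.utulsa.edu."))   # negative answer from cache
    clock.advance(NEGATIVE_TTL)
    print(cache.resolve("nosuch.utulsa.edu."))   # negative entry expired, asks again
```

The negative TTL is deliberately shorter than the positive one, which is why the second lookup of the missing name goes back to the authority after 300 seconds while the address record is still served from cache.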

17 Securing Microsoft Windows 2000 DNS
- From the NSA Security Recommendations for Windows 2000: http://nsa1.www.conxion.com/win2k/download.htm

18 Zone Information Security
- Converting to an Active Directory Integrated Server
- Zone File and Registry Security

19 Converting to an Active Directory Integrated Server
- Requires the DNS server to be on a Windows 2000 Domain Controller
- Change the zone type to Active Directory-integrated
  – Zone information is stored, replicated, and secured in the Active Directory
  – Choose the “only secure updates” option for Dynamic Updates
  – Recommended

20 Zone File and Registry Security
- If zone information is not stored in Active Directory, secure the zone files
  – Folder: “%SystemDirectory%\DNS”
  – User Groups: System
  – Recommended Permissions: Full Control
- All DNS servers should have the registry secured
  – Key: “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS”
  – User Groups: Administrator, System
  – Recommended Permissions: Full Control for both groups

21 Controlling Zone Transfers
- Four options for zone transfers
  – Do not allow zone transfers: the server can still receive zone transfers and can respond to DNS queries
  – Allow zone transfers to any server: not recommended
  – Allow zone transfers to all servers listed in the Name Servers property tab: recommended when zone transfers will only be done within one domain
  – Allow zone transfers to a specific list of IP addresses: recommended when communicating between protected DNS servers and a DNS server that can be accessed from the internet
- Never transfer the forward lookup zone containing Active Directory records to any server that can be accessed via the internet

22 DNS Server Configurations
- Several deployment methods for DNS in a Win2K environment:
  – DNS in an Enclosed Environment
  – DNS with an Internet Presence
  – DNS with an Internet Presence with Reverse Lookup Requirements
  – DNS with Internet Presence with Forward and Reverse Lookup Zone Requirements

23 DNS in an Enclosed Environment
- The external router and firewall should block all DNS traffic (UDP and TCP port 53)
- DNS zones should be made Active Directory Integrated and only allow zone transfers to servers listed in the Name Servers tab

24 DNS with an Internet Presence
- Separate the external DNS server from the DNS servers that are being utilized for the Windows 2000 domain
- Secure zone transfers to a specific list of servers, or no servers; if several servers are used within one DNS domain, then control transfers using the Name Servers tab
- Secure the file system and registry
- Disable all unnecessary services
- Disable dynamic updates
- Internet name resolution from the internal network can be provided by forwarding requests to the external DNS server

25 DNS with an Internet Presence with Reverse Lookup Requirements
- Disconnected Reverse Lookup Zone
  – Add a reverse lookup zone to the external DNS server that contains a list of all the internal network IP addresses
  – Match each IP with a fictitious client name with the appropriate extension; this allows the IPs to be verified
  – Recommended
- Secondary Reverse Lookup Zone
  – Add a reverse lookup zone to the external DNS server as a secondary zone to the internal network
  – On one internal DNS server, add the external server to the list of servers that zone transfers are allowed to
  – Configure the router and firewall to allow communication between the external and internal DNS servers
  – Will show the internal server’s Start of Authority record in the reverse lookup zone

26 DNS with Internet Presence with Forward & Reverse Lookup Zone Requirements
- This configuration is not recommended, but may be necessary
  – Exposes server records to the internet
  – Allows attackers to completely map the internal network
- Use a secure tunneling protocol between sites to secure zone transfers and protect the internal DNS server records (Good)
- Add only the specific server records that are required for the network to function to the external DNS servers (Worse)
- Configure one external DNS server’s forward and reverse lookup zones to be secondary zones of one internal DNS server’s zones (Worst)

27 Router and Firewall Settings
- DNS traffic: port 53 (UDP and TCP)
  – UDP 53: client queries
  – TCP 53: zone transfers
- Zone transfers are not necessary outside the protected network
  – TCP 53 should be disabled at the internal, external, firewall, and DMZ routers
- If DNS is configured to allow zone transfers between internal and external servers, then the internal router, firewall, and DMZ routers should allow connections on TCP 53 between those two servers only
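To turn the recommendations of slides 21, 23, 24 and 27 into something checkable, the Python below (an added example, not the presentation's or the NSA guide's code) models DNS servers, their zones' transfer and dynamic-update settings, and firewall rules, then audits them: transfers to "any server", an Active Directory forward zone transferred to an internet-accessible server, dynamic updates left on externally, internal zones not AD-integrated, and TCP 53 opened anywhere other than between one configured transfer pair. The servers `dc1` (10.0.0.10) and `ext-dns` (192.0.2.53), the zone names and the rule sets are constructed sample data.

```python
"""Audit a Windows 2000 DNS zone-transfer and firewall configuration against
the recommendations on slides 21, 23, 24 and 27. Added example; all servers,
zones and rules are constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Zone:
    name: str
    transfer_policy: str                 # "none", "any", "name_servers" or "ip_list"
    transfer_targets: List[str] = field(default_factory=list)  # IPs for "ip_list"
    ad_integrated: bool = False
    dynamic_updates: str = "none"        # "none", "secure" or "any"
    has_ad_records: bool = False         # forward zone carrying Active Directory records


@dataclass
class DnsServer:
    name: str
    address: str
    internet_reachable: bool
    zones: List[Zone]


@dataclass
class FirewallRule:
    proto: str  # "tcp" or "udp"
    port: int
    src: str    # IP or "any"
    dst: str    # IP or "any"


def transfer_pairs(servers: List[DnsServer]) -> Set[Tuple[str, str]]:
    """(secondary, primary) address pairs the zone configuration allows;
    the secondary opens the TCP 53 connection to the primary."""
    pairs: Set[Tuple[str, str]] = set()
    for s in servers:
        for z in s.zones:
            if z.transfer_policy == "ip_list":
                pairs.update((target, s.address) for target in z.transfer_targets)
    return pairs


def audit(servers: List[DnsServer], rules: List[FirewallRule]) -> List[str]:
    """Return one finding per deviation from the slides' recommendations."""
    findings: List[str] = []
    by_addr = {s.address: s for s in servers}
    for s in servers:
        for z in s.zones:
            tag = f"{s.name}/{z.name}"
            if z.transfer_policy == "any":
                findings.append(f"{tag}: zone transfers allowed to any server (not recommended)")
            if z.has_ad_records:
                for t in z.transfer_targets:
                    if t in by_addr and by_addr[t].internet_reachable:
                        findings.append(f"{tag}: AD forward zone transferred to internet-accessible {by_addr[t].name}")
            if s.internet_reachable and z.dynamic_updates != "none":
                findings.append(f"{tag}: dynamic updates enabled on the external server")
            if not s.internet_reachable and not z.ad_integrated:
                findings.append(f"{tag}: internal zone is not Active Directory integrated")
            if z.ad_integrated and z.dynamic_updates != "secure":
                findings.append(f"{tag}: AD-integrated zone should accept only secure updates")
    allowed = transfer_pairs(servers)
    for r in rules:
        if r.proto != "tcp" or r.port != 53:
            continue  # UDP 53 client queries are expected; only transfers are checked
        if "any" in (r.src, r.dst):
            findings.append(f"firewall: TCP 53 open for {r.src} -> {r.dst}; restrict to the transfer pair")
        elif (r.src, r.dst) not in allowed:
            findings.append(f"firewall: TCP 53 {r.src} -> {r.dst} matches no configured zone transfer")
    return findings


def recommended() -> Tuple[List[DnsServer], List[FirewallRule]]:
    """Constructed layout following the slides: internal DC with AD-integrated
    zones, external server receiving only the reverse zone over one TCP 53 pair."""
    dc = DnsServer("dc1", "10.0.0.10", False, [
        Zone("corp.example.", "name_servers", ad_integrated=True, dynamic_updates="secure", has_ad_records=True),
        Zone("0.0.10.in-addr.arpa.", "ip_list", ["192.0.2.53"], ad_integrated=True, dynamic_updates="secure"),
    ])
    ext = DnsServer("ext-dns", "192.0.2.53", True, [Zone("example.com.", "none")])
    rules = [FirewallRule("udp", 53, "any", "192.0.2.53"), FirewallRule("tcp", 53, "192.0.2.53", "10.0.0.10")]
    return [dc, ext], rules


def weak() -> Tuple[List[DnsServer], List[FirewallRule]]:
    """Constructed layout that breaks several recommendations at once."""
    dc = DnsServer("dc1", "10.0.0.10", False, [
        Zone("corp.example.", "ip_list", ["192.0.2.53"], dynamic_updates="any", has_ad_records=True),
    ])
    ext = DnsServer("ext-dns", "192.0.2.53", True, [Zone("example.com.", "any", dynamic_updates="any")])
    rules = [FirewallRule("tcp", 53, "any", "any"), FirewallRule("tcp", 53, "203.0.113.7", "10.0.0.10")]
    return [dc, ext], rules


if __name__ == "__main__":
    print("recommended:", audit(*recommended()))
    for finding in audit(*weak()):
        print("weak:", finding)
```

The recommended layout produces no findings; the weak one produces six, one for each rule it breaks. The UDP 53 rule is intentionally ignored, since client queries have to reach the external server and only TCP 53 (zone transfers) is what slide 27 says to restrict.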

28 Questions?

